
Cannot run Docker example without root.

Open karlbateman opened this issue 3 years ago • 9 comments

Does this issue occur when all extensions are disabled?: Yes/No

  • VS Code Version: 1.61.0
  • OS Version: Ubuntu 20.04 LTS

Steps to Reproduce:

Run docker run -it --init -p 3000:3000 -v "$(pwd):/home/workspace:cached" gitpod/openvscode-server:1.61.0 from the terminal and receive the following in the terminal:

[main 2021-10-10T13:13:39.477Z] rejected promise not handled within 1 second: Error: EACCES: permission denied, mkdir '/home/workspace/.openvscode-server'
[main 2021-10-10T13:13:39.482Z] stack trace: Error: EACCES: permission denied, mkdir '/home/workspace/.openvscode-server'
[main 2021-10-10T13:13:39.482Z] [Error: EACCES: permission denied, mkdir '/home/workspace/.openvscode-server'] {
  errno: -13,
  code: 'EACCES',
  syscall: 'mkdir',
  path: '/home/workspace/.openvscode-server'
}

karlbateman avatar Oct 10 '21 13:10 karlbateman

Ah, running it as a regular user with the ability to interact with Docker is the cause. Running the command with sudo or as root works as expected. I'm using Docker 20.10.9, build c2ea9bc and have used the dockerd-rootless-setuptool.sh install to use Docker without root.

karlbateman avatar Oct 10 '21 13:10 karlbateman

For what it's worth, I added my normal Linux user account to the docker group and run all my Docker stuff as that normal user.

https://docs.docker.com/engine/install/linux-postinstall/#manage-docker-as-a-non-root-user

jimmybrancaccio avatar Oct 12 '21 20:10 jimmybrancaccio

I get this issue even running the docker command as the root user. It doesn't seem to matter if I run it in /tmp or the /root directory.

I'm running this on a fresh Ubuntu 20.04 instance (in DigitalOcean) with all updates and Docker 20.10.16 using the latest tag of the opencode-server project.

josegonzalez avatar May 29 '22 18:05 josegonzalez

Over 1 year and issue still open? Anyone able to get past this error?

encryptblockr avatar Dec 31 '22 11:12 encryptblockr

I am still unable to replicate this issue using the method I described here.

I've just spun up a fresh DigitalOcean droplet using Ubuntu 20.04 today. I installed Docker as outlined here and added my normal Linux user account to the Docker group (adduser jimmy and usermod -aG docker jimmy). I logged into the droplet as my normal Linux user account, cloned a repository into my home directory (git clone https://github.com/jimmybrancaccio/cmangos-starter-website.git) and ran:

cd cmangos-starter-website/
docker run -it --init -p 3000:3000 -v "$(pwd):/home/workspace:cached" gitpod/openvscode-server

The output:

Unable to find image 'gitpod/openvscode-server:latest' locally
latest: Pulling from gitpod/openvscode-server
6e3729cf69e0: Pull complete
1c825b7c3eae: Pull complete
19a67ff2d29b: Pull complete
dea6bded6195: Pull complete
4f4fb700ef54: Pull complete
ee7229c78a44: Pull complete
aac9db3cc3fa: Pull complete
19e817414dd7: Pull complete
Digest: sha256:871b4c1861a60d0e12b18f0ecf89128282ab43fe8d1ab5d37f94c27d96ca445f
Status: Downloaded newer image for gitpod/openvscode-server:latest
Server bound to 0.0.0.0:3000 (IPv4)
Extension host agent listening on 3000

[15:56:55]




Web UI available at http://localhost:3000/
[15:56:55] Extension host agent started.
[15:56:55] Started initializing default profile extensions in extensions installation folder. file:///home/workspace/.openvscode-server/extensions
[15:56:55] Completed initializing default profile extensions in extensions installation folder. file:///home/workspace/.openvscode-server/extensions
[15:57:12] [1.2.3.4][791d4f81][ManagementConnection] New connection established.
[15:57:13] Using the in-memory credential store as the operating system's credential store could not be accessed. Please see https://aka.ms/vscode-server-keyring on how to set this up. Details: libsecret-1.so.0: cannot open shared object file: No such file or directory
[15:57:14] [1.2.3.4][acdd97e5][ExtensionHostConnection] New connection established.
[15:57:14] [1.2.3.4][acdd97e5][ExtensionHostConnection] <41> Launched Extension Host Process.
[15:57:29] [1.2.3.4][791d4f81][ManagementConnection] The client has disconnected gracefully, so the connection will be disposed.
[15:57:29] [1.2.3.4][acdd97e5][ExtensionHostConnection] <41> Extension Host Process exited with code: 0, signal: null.
[15:57:29] [1.2.3.4][26ee350d][ManagementConnection] New connection established.
[15:57:30] [1.2.3.4][17335dd8][ExtensionHostConnection] New connection established.
[15:57:30] [1.2.3.4][17335dd8][ExtensionHostConnection] <61> Launched Extension Host Process.
File not found: /home/.openvscode-server/node_modules/vscode-regexp-languagedetection/dist/index.js

jimmybrancaccio avatar Jan 04 '23 16:01 jimmybrancaccio

I encountered the same thing on Fedora 37. The cause is SELinux, which is enabled on Fedora and Red Hat distros.

Security-Enhanced Linux (SELinux) is a security architecture for Linux® systems that allows administrators to have more control over who can access the system. It was originally developed by the United States National Security Agency (NSA) as a series of patches to the Linux kernel using Linux Security Modules (LSM).

It does not allow containers to write to and read from mounted directories if they are not under the /usr path on the host machine (no matter what permissions you set using the chmod command).

When using SELinux for controlling processes within a container, you need to make sure any content that gets volume mounted into the container is readable, and potentially writable, depending on the use case. By default, Docker container processes run with the system_u:system_r:svirt_lxc_net_t:s0 label. The svirt_lxc_net_t type is allowed to read/execute most content under /usr, but it is not allowed to use most other types on the system. If you want to volume mount content under /var, for example, into a container you need to set the labels on this content. In the docker run man page we mention this.

-- source article

To work around that, you should run chcon -Rt svirt_sandbox_file_t /<your_dir_path> on the dir that you are going to use as a volume (on the host machine).

ImHereByChance avatar Mar 20 '23 19:03 ImHereByChance

Having the same issue running on a clean Ubuntu 22.04 instance in Oracle Cloud (host platform: linux/arm64/v8). Running with sudo or adding user to docker group did not change a thing in the output.

pliniozanini avatar Jul 02 '23 03:07 pliniozanini

Here is what worked:

mkdir data
sudo chmod 777 ./data

version: "2.1"
services:
  code-server:
    image: gitpod/openvscode-server
    container_name: openvscode_container
    volumes:
      - ./data:/home/workspace:cached
    ports:
      - 3000:3000
    restart: unless-stopped

docker compose up -d

nt202 avatar Aug 02 '23 15:08 nt202

When I bind mount my working directory (i.e. $pwd) to /home/workspace inside the container, the uid and gid of /home/workspace are the same as those of $pwd on my host.

However, both the uid and gid of /home/workspace inside the container are expected to be 1000 (specified in Dockerfile).

I remove the -v option in docker run, and it works.

Repeater9 avatar Dec 26 '23 11:12 Repeater9
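
Added example, not part of any comment in this thread: a pre-flight check that reads the owner, group and mode of the directory you are about to bind mount and tells you whether uid/gid 1000 (the value the last comment cites) can create /home/workspace/.openvscode-server in it. The function names are hypothetical; it assumes GNU stat and a rootful Docker daemon without user-namespace remapping, and it ignores POSIX ACLs.

```shell
#!/bin/sh
# Added example, not from the thread. Assumptions: GNU stat, a rootful Docker
# daemon without user-namespace remapping, and a container process running as
# uid/gid 1000 (the value the last comment cites from the Dockerfile).

# can_write DIR UID GID (hypothetical helper): succeed if DIR's owner, group
# and mode bits let UID:GID create entries in it (needs write + search).
can_write() {
    _uid=$2; _gid=$3
    _st=$(stat -c '%u %g %a' -- "$1") || return 2
    set -- $_st                        # $1 = owner uid, $2 = group gid, $3 = octal mode
    _mode=$((0$3))                     # leading 0 makes the shell read it as octal
    [ "$_uid" -eq 0 ] && return 0      # root is not limited by mode bits
    if [ "$_uid" -eq "$1" ]; then _bits=$(( ($_mode >> 6) & 7 ))
    elif [ "$_gid" -eq "$2" ]; then _bits=$(( ($_mode >> 3) & 7 ))
    else _bits=$(( $_mode & 7 )); fi
    [ $(( $_bits & 3 )) -eq 3 ]        # 2 = write, 1 = search (execute)
}

# preflight DIR (hypothetical helper): verdict for mounting DIR at /home/workspace.
preflight() {
    if can_write "$1" 1000 1000; then
        echo "ok: uid 1000 can create entries in $1"
    else
        echo "deny: uid 1000 cannot write to $1 (owner:group mode $(stat -c '%u:%g %a' -- "$1"))"
        echo "hint: giving uid 1000 ownership or group write is narrower than chmod 777"
        return 1
    fi
    # On SELinux hosts (Fedora, RHEL) the label can still block access even
    # when the mode bits allow it, so show the label for comparison.
    if command -v getenforce >/dev/null 2>&1 && [ "$(getenforce)" = "Enforcing" ]; then
        echo "note: SELinux is enforcing; label on $1: $(ls -Zd -- "$1")"
    fi
}

# Run as: sh preflight.sh "$(pwd)"
if [ $# -gt 0 ]; then preflight "$1"; fi
```

With rootless Docker the container's uid 1000 maps to a subordinate uid on the host, so the numeric comparison above does not apply there.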